diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..b227cbb
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,71 @@
+{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1746728054, + "narHash": "sha256-eDoSOhxGEm2PykZFa/x9QG5eTH0MJdiJ9aR00VAofXE=", + "owner": "nix-community", + "repo": "disko", + "rev": "ff442f5d1425feb86344c028298548024f21256d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "latest", + "repo": "disko", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1758463745, + "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-25.05", + "repo": "home-manager", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1759439645, + "narHash": "sha256-oiAyQaRilPk525Z5aTtTNWNzSrcdJ7IXM0/PL3CGlbI=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "879bd460b3d3e8571354ce172128fbcbac1ed633", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +}
diff --git a/flake.nix b/flake.nix
index 1233659..fda0b39 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,15 +1,24 @@
 {
 inputs = {
- nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-25.05";
- home-manager.url = "github:nix-community/home-manager/release-25.05";
- home-manager.inputs.nixpkgs.follows = "nixpkgs";
+ nixpkgs = {
+ url = "github:nixos/nixpkgs?ref=nixos-25.05";
+ };
+ home-manager = {
+ url = "github:nix-community/home-manager/release-25.05";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ disko = {
+ url = "github:nix-community/disko/latest";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
- outputs = { self, nixpkgs, home-manager }: {
+ outputs = { self, nixpkgs, disko, home-manager }: {
 nixosConfigurations.vm = nixpkgs.lib.nixosSystem {
 system = "x86_64-linux";
 modules = [
 ./hosts/vm/configuration.nix
+ disko.nixosModules.disko
 home-manager.nixosModules.home-manager
 {
 home-manager.useGlobalPkgs = true;
 home-manager.useUserPackages = true;
diff --git a/hosts/vm/configuration.nix b/hosts/vm/configuration.nix
index 95526b3..7eb7924 100644
--- a/hosts/vm/configuration.nix
+++ b/hosts/vm/configuration.nix
@@ -6,6 +6,7 @@
 
 imports = [
 ./hard.nix
+ ./disk.nix
 ../../modules/bootloader.nix
 ../../modules/networking.nix
 ../../modules/users.nix
diff --git a/hosts/vm/disk.nix b/hosts/vm/disk.nix
new file mode 100644
index 0000000..a6756f3
--- /dev/null
+++ b/hosts/vm/disk.nix
@@ -0,0 +1 @@
+import ../modules/disko.zfs-encrypted-root.nix
diff --git a/hosts/vm/hard.nix b/hosts/vm/hard.nix
index f4a5f23..f198f81 100644
--- a/hosts/vm/hard.nix
+++ b/hosts/vm/hard.nix
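Review bot: `import ../modules/disko.zfs-encrypted-root.nix` in the new `hosts/vm/disk.nix` resolves relative to `hosts/vm/`, i.e. to `hosts/modules/disko.zfs-encrypted-root.nix`, but this commit creates the file at `modules/disko.zfs-encrypted-root.nix` in the repository root, so evaluation will fail with a missing-path error. The sibling imports in `hosts/vm/configuration.nix` reach that directory with `../../modules/…`, so the line should read `import ../../modules/disko.zfs-encrypted-root.nix`. The indirection through `disk.nix` could also be dropped by listing `../../modules/disko.zfs-encrypted-root.nix` directly in the `imports` of `hosts/vm/configuration.nix`; keeping a per-host file only pays off once the shared module stops hard-coding `device = "/dev/vda"`.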
@@ -13,15 +13,6 @@
 boot.kernelModules = [ "kvm-intel" ];
 boot.extraModulePackages = [ ];
 
- fileSystems."/" =
- { device = "/dev/disk/by-uuid/7d406784-bf6b-420e-a956-134f719c8206";
- fsType = "ext4";
- };
-
- swapDevices =
- [ { device = "/dev/disk/by-uuid/4cbaffdb-0ca2-4735-87d0-eefe994f0e18"; }
- ];
-
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
 # still possible to use this option, but it's recommended to use it in conjunction
diff --git a/modules/disko.zfs-encrypted-root.nix b/modules/disko.zfs-encrypted-root.nix
new file mode 100644
index 0000000..871f0cd
--- /dev/null
+++ b/modules/disko.zfs-encrypted-root.nix
@@ -0,0 +1,81 @@
+{
+ disko.devices = {
+ disk = {
+ root = {
+ type = "disk";
+ device = "/dev/vda";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "nofail" ];
+ };
+ };
+ zfs = {
+ size = "100%";
+ content = {
+ type = "zfs";
+ pool = "zroot";
+ };
+ };
+ };
+ };
+ };
+ };
+ zpool = {
+ zroot = {
+ type = "zpool";
+ rootFsOptions = {
+ mountpoint = "none";
+ compression = "zstd";
+ acltype = "posixacl";
+ xattr = "sa";
+ "com.sun:auto-snapshot" = "true";
+ };
+ options.ashift = "12";
+ datasets = {
+ "root" = {
+ type = "zfs_fs";
+ options = {
+ encryption = "aes-256-gcm";
+ keyformat = "passphrase";
+ #keylocation = "file:///tmp/secret.key";
+ keylocation = "prompt";
+ };
+ mountpoint = "/";
+
+ };
+ "root/nix" = {
+ type = "zfs_fs";
+ options.mountpoint = "/nix";
+ mountpoint = "/nix";
+ };
+
+ # README MORE: https://wiki.archlinux.org/title/ZFS#Swap_volume
+ "root/swap" = {
+ type = "zfs_volume";
+ size = "10M";
+ content = {
+ type = "swap";
+ };
+ options = {
+ volblocksize = "4096";
+ compression = "zle";
+ logbias = "throughput";
+ sync = "always";
+ primarycache = "metadata";
+ secondarycache = "none";
+ "com.sun:auto-snapshot" = "false";
+ };
+ };
+ };
+ };
+ };
+ };
+}
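Review bot: The `"root"` dataset sets only disko's `mountpoint = "/"`, while `"root/nix"` sets both `options.mountpoint = "/nix"` and `mountpoint = "/nix"`; since `rootFsOptions.mountpoint = "none"` is inherited by `zroot/root`, it is worth confirming that disko still mounts it at `/` with that ZFS property, and otherwise adding `options.mountpoint = "/";` (or `"legacy"`) so both datasets follow the same pattern. The ESP is mounted with only `nofail`, which leaves the kernels and initrds under `/boot` readable by every local user with vfat's default permissions; `mountOptions = [ "umask=0077" "nofail" ];` is the usual tightening. `size = "10M"` for `"root/swap"` is too small to act as swap and reads like a placeholder left from testing, and the commented-out `#keylocation = "file:///tmp/secret.key";` line documents a key-file-in-/tmp workflow the module no longer uses — drop it or replace it with a comment stating why `prompt` was chosen. `device = "/dev/vda"` is hard-coded in a file under `modules/` that is presumably meant to be shared across hosts; if that is the intent, a `/dev/disk/by-id/…` path or a host-supplied argument would be safer than a bus-order name.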